<html><head><title>Burp Scanner Report</title>
<meta http-equiv="Content-Security-Policy" content="default-src 'none';img-src 'self' data:;style-src 'unsafe-inline'" />
<style type="text/css">
body { background: #dedede; font-family: 'Droid sans', Helvetica, Arial, sans-serif; color: #404042; -webkit-font-smoothing: antialiased; }
#container { width: 930px; padding: 0 15px; margin: 20px auto; background-color: #ffffff; }
table { font-family: Arial, sans-serif; }
a:link, a:visited { color: #ff6633; text-decoration: none; transform: 0.3s; }
a:hover, a:active { color: #e24920; text-decoration: underline; }
h1 { font-size: 1.6em; line-height: 1.4em; font-weight: normal; color: #404042; }
h2 { font-size: 1.3em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: normal; color: #404042;}
h4 { font-size: 1.0em; line-height: 1.2em; padding: 0; margin: 0.8em 0 0.3em 0; font-weight: bold; color: #404042;}
.rule { height: 0px; border-top: 1px solid #404042; padding: 0; margin: 20px -15px 0 -15px; }
.title { color: #ffffff; background: #ff6633; margin: 0 -15px 10px -15px; overflow: hidden; }
.title h1 { color: #ffffff; padding: 10px 15px; margin: 0; font-size: 1.8em; }
.title img { float: right; display: inline; padding: 1px; }
.heading { background: #404042; margin: 0 -15px 10px -15px; padding: 0; display: inline-block; overflow: hidden; }
.heading img { float: right; display: inline; margin: 8px 10px 0 10px; padding: 0; }
.code { font-family: 'Courier New', Courier, monospace; }
table.overview_table { border: 2px solid #e6e6e6; margin: 0; padding: 5px;}
table.overview_table td.info { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.info_end { padding: 5px; background: #dedede; text-align: right; border-top: 2px solid #ffffff; }
table.overview_table td.colour_holder { padding: 0px; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.overview_table td.colour_holder_end { padding: 0px; border-top: 2px solid #ffffff; }
table.overview_table td.label { padding: 5px; font-weight: bold; }
table.summary_table td { padding: 5px; background: #dedede; text-align: left; border-top: 2px solid #ffffff; border-right: 2px solid #ffffff; }
table.summary_table td.icon { background: #404042; }
.colour_block { padding: 5px; text-align: right; display: block; font-weight: bold; }
.high_certain { border: 2px solid #f00; background: #f00; }
.high_firm { border: 2px solid #f66; background: #f66; }
.high_tentative { border: 2px solid #fcc; background: #fcc; }
.medium_certain { border: 2px solid #f90; background: #f90; }
.medium_firm { border: 2px solid #ffc266; background: #ffc266; }
.medium_tentative { border: 2px solid #ffebcc; background: #ffebcc; }
.low_certain { border: 2px solid #fe0; background: #fe0; }
.low_firm { border: 2px solid #fff566; background: #fff566; }
.low_tentative { border: 2px solid #fffccc; background: #fffccc; }
.info_certain { border: 2px solid #ababab; background: #ababab; }
.info_firm { border: 2px solid #cdcdcd; background: #cdcdcd; }
.info_tentative { border: 2px solid #eee; background: #eee; }
.row_total { border: 1px solid #dedede; background: #fff; }
.grad_mark { padding: 4px; border-left: 1px solid #404042; display: inline-block; }
.bar { margin-top: 3px; }
.TOCH0 { font-size: 1.0em; font-weight: bold; word-wrap: break-word; }
.TOCH1 { font-size: 0.8em; text-indent: -20px; padding-left: 50px; margin: 0; word-wrap: break-word; }
.TOCH2 { font-size: 0.8em; text-indent: -20px; padding-left: 70px; margin: 0; word-wrap: break-word; }
.BODH0 { font-size: 1.6em; line-height: 1.2em; font-weight: normal; padding: 10px 15px; margin: 0 -15px 10px -15px; display: inline-block; color: #ffffff; background-color: #ff6633; width: 100%; word-wrap: break-word; }
.BODH0 a:link, .BODH0 a:visited, .BODH0 a:hover, .BODH0 a:active { color: #ffffff; text-decoration: none; }
.BODH1 { font-size: 1.3em; line-height: 1.2em; font-weight: normal; padding: 13px 15px; margin: 0 -15px 0 -15px; display: inline-block; width: 100%; word-wrap: break-word; }
.BODH1 a:link, .BODH1 a:visited, .BODH1 a:hover, .BODH1 a:active { color: #404042; text-decoration: none; }
.BODH2 { font-size: 1.0em; font-weight: bold; line-height: 2.0em; width: 100%; word-wrap: break-word; }
.PREVNEXT { font-size: 0.7em; font-weight: bold; color: #ffffff; padding: 3px 10px; border-radius: 10px;}
.PREVNEXT:link, .PREVNEXT:visited { color: #ff6633 !important; background: #ffffff !important; border: 1px solid #ff6633 !important; text-decoration: none; }
.PREVNEXT:hover, .PREVNEXT:active { color: #fff !important; background: #e24920 !important; border: 1px solid #e24920 !important; text-decoration: none; }
.TEXT { font-size: 0.8em; padding: 0; margin: 0; word-wrap: break-word; }
TD { font-size: 0.8em; }
.HIGHLIGHT { background-color: #fcf446; }
.rr_div { border: 2px solid #ff6633; width: 916px; word-wrap: break-word; -ms-word-wrap: break-word; margin: 0.8em 0; padding: 5px; font-size: 0.8em; max-height: 300px; overflow-y: auto; }

div.scan_issue_false_positive_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_high_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_info_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_low_tentative_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_certain_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_firm_rpt{width: 32px; height: 32px; background-image: url()}
div.scan_issue_medium_tentative_rpt{width: 32px; height: 32px; background-image: url()}


@media print {
    body { width: 100%; color: #000000; position: relative; }
    #container { width: 98%; padding: 0; margin: 0; }
    h1 { color: #000000; }
    h2 { color: #000000;}
    .rule { margin: 20px 0 0 0; }
    .title { color: #000000; margin: 0 0 10px 0; padding: 10px 0; }
    .title h1 { color: #000000; }
    .title img { margin: -3px 0; }
    .heading { margin: 0 0 10px 0; }
    .BODH0 { color: #000000; }
    .BODH1 { color: #000000; }
    .PREVNEXT { visibility: hidden; display: none; }
    .rr_div { width: 98%; margin: 0.8em auto; max-height: none !important; overflow: hidden; }
}

</style>
</head>
<body>
<div id="container">
<div class="title"><img src="" width="184" height="58"><h1>Burp Scanner Report</h1></div>
<h1>Summary</h1>
<span class="TEXT">The table below shows the numbers of issues identified in different categories. Issues are classified according to severity as High, Medium, Low or Information. This reflects the likely impact of each issue for a typical organization. Issues are also classified according to confidence as Certain, Firm or Tentative. This reflects the inherent reliability of the technique that was used to identify the issue.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="4" height="40" align="center" class="label">Confidence</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="82" height="30" class="info">Certain</td>
        <td width="82" height="30" class="info">Firm</td>
        <td width="82" height="30" class="info">Tentative</td>
        <td width="82" height="30" class="info_end">Total</td>
    </tr>
    <tr>
        <td rowspan="4" valign="middle" class="label">Severity</td>
        <td class="info" height="30">High</td>
        <td class="colour_holder"><span class="colour_block high_certain">1</span></td>
        <td class="colour_holder"><span class="colour_block high_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block high_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">1</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Medium</td>
        <td class="colour_holder"><span class="colour_block medium_certain">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_firm">0</span></td>
        <td class="colour_holder"><span class="colour_block medium_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">0</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Low</td>
        <td class="colour_holder"><span class="colour_block low_certain">0</span></td>
        <td class="colour_holder"><span class="colour_block low_firm">1</span></td>
        <td class="colour_holder"><span class="colour_block low_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">1</span></td>
    </tr>
    <tr>
        <td class="info" height="30">Information</td>
        <td class="colour_holder"><span class="colour_block info_certain">8</span></td>
        <td class="colour_holder"><span class="colour_block info_firm">2</span></td>
        <td class="colour_holder"><span class="colour_block info_tentative">0</span></td>
        <td class="colour_holder_end"><span class="colour_block row_total">10</span></td>
    </tr>
</table><br>
<span class="TEXT">The chart below shows the aggregated numbers of issues identified in each category. Solid colored bars represent issues with a confidence level of Certain, and the bars fade as the confidence level falls.</span><br><br><table cellpadding="0" cellspacing="0" class="overview_table">
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td colspan="6" height="40" align="center" class="label">Number of issues</td>
    </tr>
    <tr>
        <td width="70">&nbsp;</td>
        <td width="90">&nbsp;</td>
        <td width="125"><span class="grad_mark">0</span></td>
        <td width="125"><span class="grad_mark">1</span></td>
        <td width="125"><span class="grad_mark">2</span></td>
        <td width="125"><span class="grad_mark">3</span></td>
        <td width="125"><span class="grad_mark">4</span></td>
    </tr>
    <tr>
        <td rowspan="3" valign="middle" class="label">Severity</td>
        <td class="info">High</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="125" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Medium</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
    <tr>
        <td class="info">Low</td>
        <td colspan="5" height="30">
            <table cellpadding="0" cellspacing="0"><tr><td><img class="bar" src="" width="0" height="16"></td><td><img class="bar" src="" width="125" height="16"></td><td><img class="bar" src="" width="0" height="16"></td></tr></table>
        </td>
        <td>&nbsp;</td>
    </tr>
</table>

<div class="rule"></div>
<h1>Contents</h1>
<p class="TOCH0"><a href="#1">1.&nbsp;Cleartext submission of password</a></p>
<p class="TOCH0"><a href="#2">2.&nbsp;Cookie without HttpOnly flag set</a></p>
<p class="TOCH0"><a href="#3">3.&nbsp;Path-relative style sheet import</a></p>
<p class="TOCH0"><a href="#4">4.&nbsp;Input returned in response (reflected)</a></p>
<p class="TOCH1"><a href="#4.1">4.1.&nbsp;http://192.168.73.145:8081/ [name of an arbitrarily supplied URL parameter]</a></p>
<p class="TOCH1"><a href="#4.2">4.2.&nbsp;http://192.168.73.145:8081/dvwa/css/login.css [URL path filename]</a></p>
<p class="TOCH1"><a href="#4.3">4.3.&nbsp;http://192.168.73.145:8081/dvwa/css/login.css [URL path folder 1]</a></p>
<p class="TOCH1"><a href="#4.4">4.4.&nbsp;http://192.168.73.145:8081/dvwa/css/login.css [URL path folder 2]</a></p>
<p class="TOCH1"><a href="#4.5">4.5.&nbsp;http://192.168.73.145:8081/login.php [URL path filename]</a></p>
<p class="TOCH1"><a href="#4.6">4.6.&nbsp;http://192.168.73.145:8081/login.php [name of an arbitrarily supplied URL parameter]</a></p>
<p class="TOCH1"><a href="#4.7">4.7.&nbsp;http://192.168.73.145:8081/robots.txt [URL path filename]</a></p>
<p class="TOCH0"><a href="#5">5.&nbsp;Frameable response (potential Clickjacking)</a></p>
<p class="TOCH0"><a href="#6">6.&nbsp;Robots.txt file</a></p>
<br><div class="rule"></div>
<span class="BODH0" id="1">1.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00300100_cleartextsubmissionofpassword">Cleartext submission of password</a></span>
<br><a class="PREVNEXT" href="#2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_high_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>High</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The page contains a form with the following action URL, which is submitted over clear-text HTTP:<ul><li>http://192.168.73.145:8081/login.php</li></ul>The form contains the following password field:<ul><li>password</li></ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>Some applications transmit passwords over unencrypted connections, making them vulnerable to interception. To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.</p>
<p>Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>Applications should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a></li>
</ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET /login.php HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Cookie: security=impossible; PHPSESSID=k8vm9ej18cv7o560eqjn9br2u5; <br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Thu, 14 Sep 2023 11:07:36 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br>&lt;div id="content"&gt;<br><br> &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;form action="login.php" method="post"&gt;</span><br><br> &nbsp;&nbsp;&nbsp;&lt;fieldset&gt;<br><b>...[SNIP]...</b><br>&lt;/label&gt; <span class="HIGHLIGHT">&lt;input type="password" class="loginInput" AUTOCOMPLETE="off" size="20" name="password"&gt;</span>&lt;br /&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="2">2.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00500600_cookiewithouthttponlyflagset">Cookie without HttpOnly flag set</a></span>
<br><a class="PREVNEXT" href="#1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_low_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Low</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The following cookie was issued by the application and does not have the HttpOnly flag set:<ul><li><b>PHPSESSID</b></li></ul>The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure makes certain client-side attacks, such as cross-site scripting, slightly harder to exploit by preventing them from trivially capturing the cookie's value via an injected script.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.</p>
<p>You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing. </p></span>
<h2>References</h2>
<span class="TEXT"><ul>
<li><a href='https://www.owasp.org/index.php/HttpOnly'>Configuring HttpOnly</a></li>
</ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
</ul></span>
<h2>Request</h2>
<div class="rr_div"><span>GET / HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br><br></span></div>
<h2>Response</h2>
<div class="rr_div"><span>HTTP/1.1 302 Found<br>Date: Thu, 14 Sep 2023 11:07:36 GMT<br>Server: Apache/2.4.10 (Debian)<br><span class="HIGHLIGHT">Set-Cookie: PHPSESSID=k8vm9ej18cv7o560eqjn9br2u5; path=/</span><br>Expires: Thu, 19 Nov 1981 08:52:00 GMT<br>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0<br>Pragma: no-cache<br>Set-Cookie: PHPSESSID=k8vm9ej18cv7o560eqjn9br2u5; path=/; httponly<br>Set-Cookie: security=impossible; httponly<br>Location: login.php<br>Content-Length: 0<br>Connection: close<br>Content-Type: text/html; charset=UTF-8<br><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="3">3.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00200328_pathrelativestylesheetimport">Path-relative style sheet import</a></span>
<br><a class="PREVNEXT" href="#2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The application may be vulnerable to path-relative style sheet import (PRSSI) attacks. The first four conditions for an exploitable vulnerability are present (see issue background):<ol><li>The original response contains a path-relative style sheet import (see response 1).</li><li>When superfluous path-like data is placed into the URL following the original filename (see request 2), the application's response still contains a path-relative style sheet import (see response 2).</li><li>Response 2 can be made to render in a browser's quirks mode. The page does not contain a doctype directive, and so it will always be rendered in quirks mode. Further, the response does not prevent itself from being framed, so an attacker can frame the response within a page that they control, to force it to be rendered in quirks mode. (Note that this technique is IE-specific and due to P3P restrictions might sometimes limit the impact of a successful attack.)</li><li>When the path-relative style sheet import in response 2 is requested (see request 3) the application returns something other than the CSS response that was supposed to be imported (see response 3).</li></ol>It was not verified whether condition 5 holds (see issue background), and you should manually investigate whether it is possible to manipulate some text within response 3, to enable full exploitation of this issue.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>Path-relative style sheet import vulnerabilities arise when the following conditions hold:</p>
<ol>
<li>A response contains a style sheet import that uses a path-relative URL (for example, the page at "/original-path/file.php" might import "styles/main.css").</li><li>When handling requests, the application or platform tolerates superfluous path-like data following the original filename in the URL (for example, "/original-path/file.php/extra-junk/"). When superfluous data is added to the original URL, the application's response still contains a path-relative stylesheet import.</li><li>The response in condition 2 can be made to render in a browser's quirks mode, either because it has a missing or old doctype directive, or because it allows itself to be framed by a page under an attacker's control.</li>
<li>When a browser requests the style sheet that is imported in the response from the modified URL (using the URL "/original-path/file.php/extra-junk/styles/main.css"), the application returns something other than the CSS response that was supposed to be imported. Given the behavior described in condition 2, this will typically be the same response that was originally returned in condition 1.</li><li>An attacker has a means of manipulating some text within the response in condition 4, for example because the application stores and displays some past input, or echoes some text within the current URL.</li></ol>
<p>Given the above conditions, an attacker can execute CSS injection within the browser of the target user. The attacker can construct a URL that causes the victim's browser to import as CSS a different URL than normal, containing text that the attacker can manipulate.</p>
<p>Being able to inject arbitrary CSS into the victim's browser may enable various attacks, including:</p>
<ul>
  <li>Executing arbitrary JavaScript using IE's expression() function.</li><li>Using CSS selectors to read parts of the HTML source, which may include sensitive data such as anti-CSRF tokens.</li>
<li>Capturing any sensitive data within the URL query string by making a further style sheet import to a URL on the attacker's domain, and monitoring the incoming Referer header.</li></ul></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The root cause of the vulnerability can be resolved by not using path-relative URLs in style sheet imports. Aside from this, attacks can also be prevented by implementing all of the following defensive measures: </p>
<ul><li>Setting the HTTP response header "X-Frame-Options: deny" in all responses. One method that an attacker can use to make a page render in quirks mode is to frame it within their own page that is rendered in quirks mode. Setting this header prevents the page from being framed.</li><li>Setting a modern doctype (e.g. "&lt;!doctype html&gt;") in all HTML responses. This prevents the page from being rendered in quirks mode (unless it is being framed, as described above).</li>
<li>Setting the HTTP response header "X-Content-Type-Options: nosniff" in all responses. This prevents the browser from processing a non-CSS response as CSS, even if another page loads the response via a style sheet import.</li></ul></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="http://blog.portswigger.net/2015/02/prssi.html">Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities</a></li></ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16: Configuration</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/<br>Cookie: PHPSESSID=7jkc19hbjl9poc4mrioda1f4s6; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Thu, 14 Sep 2023 11:07:36 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br>&lt;/title&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;link rel="stylesheet" type="text/css" href="dvwa/css/login.css" /&gt;</span><br><br> &nbsp;&nbsp;&nbsp;&lt;/head&gt;<br><b>...[SNIP]...</b><br></span></div>
<h2>Request 2</h2>
<div class="rr_div"><span>GET /login.php<span class="HIGHLIGHT">/vcyy9r/</span> HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/<br>Cookie: PHPSESSID=oeevpr0as1fogra296u2djejj2; security=impossible<br><br></span></div>
<h2>Response 2</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Thu, 14 Sep 2023 11:08:00 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br>&lt;/title&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;<span class="HIGHLIGHT">&lt;link rel="stylesheet" type="text/css" href="dvwa/css/login.css" /&gt;</span><br><br> &nbsp;&nbsp;&nbsp;&lt;/head&gt;<br><b>...[SNIP]...</b><br></span></div>
<h2>Request 3</h2>
<div class="rr_div"><span>GET <span class="HIGHLIGHT">/login.php/vcyy9r/dvwa/css/login.css</span> HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/<br>Cookie: PHPSESSID=p0v0c4qt02b221cc6njdcj8097; security=impossible<br><br></span></div>
<h2>Response 3</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Thu, 14 Sep 2023 11:08:00 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="4">4.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00400c00_inputreturnedinresponsereflected">Input returned in response (reflected)</a></span>
<br><a class="PREVNEXT" href="#3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#5">Next</a>
<br>
<br><span class="TEXT">There are 7 instances of this issue:
<ul>
<li><a href="#4.1">/ [name of an arbitrarily supplied URL parameter]</a></li>
<li><a href="#4.2">/dvwa/css/login.css [URL path filename]</a></li>
<li><a href="#4.3">/dvwa/css/login.css [URL path folder 1]</a></li>
<li><a href="#4.4">/dvwa/css/login.css [URL path folder 2]</a></li>
<li><a href="#4.5">/login.php [URL path filename]</a></li>
<li><a href="#4.6">/login.php [name of an arbitrarily supplied URL parameter]</a></li>
<li><a href="#4.7">/robots.txt [URL path filename]</a></li>
</ul></span>
<h2>Issue background</h2>
<span class="TEXT"><p>Reflection of input arises when data is copied from a request and echoed into the application's immediate response.</p><p>Input being returned in application responses is not a vulnerability in its own right. However, it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open redirection, content spoofing, and response header injection. Additionally, some server-side vulnerabilities such as SQL injection are often easier to identify and exploit when input is returned in responses. In applications where input retrieval is rare and the environment is resistant to automated testing (for example, due to a web application firewall), it might be worth subjecting instances of it to focused manual testing. </p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input Validation</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or Escaping of Output</a></li>
</ul></span>
<br><br><div class="rule"></div>
<span class="BODH1" id="4.1">4.1.&nbsp;http://192.168.73.145:8081/ [name of an arbitrarily supplied URL parameter]</span>
<br><a class="PREVNEXT" href="#4.2">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The name of an arbitrarily supplied URL parameter is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php/<span class="HIGHLIGHT">'%22%3e%3csvg%2fonload%3dfetch%60%2f%2fvuto2li4yn673hl9lozf0lh7dyjr7ivalyfl69v%5c.burpcollaborator.net%60%3e</span> HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/<br>Cookie: PHPSESSID=ijt4ie63jlloh82g90vdhn1iq4; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Thu, 14 Sep 2023 11:09:07 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 390<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /login.php/<span class="HIGHLIGHT">'&amp;quot;&amp;gt;&amp;lt;svg/onload=fetch`//vuto2li4yn673hl9lozf0lh7dyjr7ivalyfl69v\.burpcollaborator.net`&amp;gt;</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="4.2">4.2.&nbsp;http://192.168.73.145:8081/dvwa/css/login.css [URL path filename]</span>
<br><a class="PREVNEXT" href="#4.1">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4.3">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/dvwa/css/login.css</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The value of the URL path filename is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /dvwa/css/login.css<span class="HIGHLIGHT">ipnzkrqgnt</span> HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/login.php<br>Cookie: PHPSESSID=7i7r56147s54bohe8cmld82so5; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Thu, 14 Sep 2023 11:07:54 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 308<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /dvwa/css/login.css<span class="HIGHLIGHT">ipnzkrqgnt</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="4.3">4.3.&nbsp;http://192.168.73.145:8081/dvwa/css/login.css [URL path folder 1]</span>
<br><a class="PREVNEXT" href="#4.2">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4.4">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/dvwa/css/login.css</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The value of the URL path folder 1 is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /dvwa<span class="HIGHLIGHT">t3z3ofmp6z</span>/css/login.css HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/login.php<br>Cookie: PHPSESSID=7i7r56147s54bohe8cmld82so5; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Thu, 14 Sep 2023 11:07:50 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 308<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /dvwa<span class="HIGHLIGHT">t3z3ofmp6z</span>/css/login.css was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="4.4">4.4.&nbsp;http://192.168.73.145:8081/dvwa/css/login.css [URL path folder 2]</span>
<br><a class="PREVNEXT" href="#4.3">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4.5">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/dvwa/css/login.css</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The value of the URL path folder 2 is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /dvwa/css<span class="HIGHLIGHT">6qoy3kfcvt</span>/login.css HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/login.php<br>Cookie: PHPSESSID=7i7r56147s54bohe8cmld82so5; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Thu, 14 Sep 2023 11:07:52 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 308<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /dvwa/css<span class="HIGHLIGHT">6qoy3kfcvt</span>/login.css was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="4.5">4.5.&nbsp;http://192.168.73.145:8081/login.php [URL path filename]</span>
<br><a class="PREVNEXT" href="#4.4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4.6">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/login.php</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The value of the URL path filename is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php<span class="HIGHLIGHT">v2tmhkjg4k</span> HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/<br>Cookie: PHPSESSID=cjatja07qfoollgqfj712g9897; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Thu, 14 Sep 2023 11:07:57 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 299<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /login.php<span class="HIGHLIGHT">v2tmhkjg4k</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="4.6">4.6.&nbsp;http://192.168.73.145:8081/login.php [name of an arbitrarily supplied URL parameter]</span>
<br><a class="PREVNEXT" href="#4.5">Previous</a>
&nbsp;<a class="PREVNEXT" href="#4.7">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/login.php</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The name of an arbitrarily supplied URL parameter is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>POST /login.php/<span class="HIGHLIGHT">'%22%3e%3csvg%2fonload%3dfetch%60%2f%2ffxg855lo179r61oto82z35krgimba5yxoli8awz%5c.burpcollaborator.net%60%3e</span> HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Referer: http://192.168.73.145:8081/login.php<br>Content-Type: application/x-www-form-urlencoded<br>Content-Length: 97<br>Cookie: PHPSESSID=rdqlqiph5rliqllh7ruuq4qlj4; security=impossible<br><br>username=yvRSEjxH&amp;password=m0G%21v7y%21D0&amp;Login=Login&amp;user_token=e7175eef7a18553745e5a98023c9fc1d</span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Thu, 14 Sep 2023 11:09:07 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 390<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /login.php/<span class="HIGHLIGHT">'&amp;quot;&amp;gt;&amp;lt;svg/onload=fetch`//fxg855lo179r61oto82z35krgimba5yxoli8awz\.burpcollaborator.net`&amp;gt;</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH1" id="4.7">4.7.&nbsp;http://192.168.73.145:8081/robots.txt [URL path filename]</span>
<br><a class="PREVNEXT" href="#4.6">Previous</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/robots.txt</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The value of the URL path filename is copied into the application's response.</span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /robots.txt<span class="HIGHLIGHT">n0g2enn9mj</span> HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 404 Not Found<br>Date: Thu, 14 Sep 2023 11:07:45 GMT<br>Server: Apache/2.4.10 (Debian)<br>Content-Length: 300<br>Connection: close<br>Content-Type: text/html; charset=iso-8859-1<br><br>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;<br>&lt;html&gt;&lt;head&gt;<br>&lt;title&gt;404 Not Found&lt;/title&gt;<br>&lt;/head&gt;&lt;body&gt;<br>&lt;h1&gt;Not Found&lt;/h1&gt;<br>&lt;p&gt;The requested URL /robots.txt<span class="HIGHLIGHT">n0g2enn9mj</span> was not found on this server.&lt;/p&gt;<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="5">5.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/005009a0_frameableresponsepotentialclickjacking">Frameable response (potential Clickjacking)</a></span>
<br><a class="PREVNEXT" href="#4">Previous</a>
&nbsp;<a class="PREVNEXT" href="#6">Next</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_firm_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Firm</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/</b></td>
</tr>
</table>
<h2>Issue description</h2>
<span class="TEXT"><p>If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker can cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defenses against cross-site request forgery, and may result in unauthorized actions.</p>
<p>Note that some applications attempt to prevent these attacks from within the HTML page itself, using "framebusting" code. However, this type of defense is normally ineffective and can usually be circumvented by a skilled attacker.</p>
<p>You should determine whether any functions accessible within frameable pages can be used by application users to perform any sensitive actions within the application. </p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>To effectively prevent framing attacks, the application should return a response header with the name <b>X-Frame-Options</b> and the value <b>DENY</b> to prevent framing altogether, or the value <b>SAMEORIGIN</b> to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites.</p></span>
<h2>References</h2>
<span class="TEXT"><ul><li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options">X-Frame-Options</a></li></ul></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/693.html">CWE-693: Protection Mechanism Failure</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET /login.php HTTP/1.1<br>Host: 192.168.73.145:8081<br>Accept-Encoding: gzip, deflate<br>Accept: */*<br>Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36<br>Connection: close<br>Cache-Control: max-age=0<br>Cookie: security=impossible; PHPSESSID=k8vm9ej18cv7o560eqjn9br2u5; <br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Thu, 14 Sep 2023 11:07:36 GMT<br>Server: Apache/2.4.10 (Debian)<br>Expires: Tue, 23 Jun 2009 12:00:00 GMT<br>Cache-Control: no-cache, must-revalidate<br>Pragma: no-cache<br>Vary: Accept-Encoding<br>Content-Length: 1523<br>Connection: close<br>Content-Type: text/html;charset=utf-8<br><br><br>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"&gt;<br><br>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br><br> &nbsp;&nbsp;&nbsp;&lt;head&gt;<br><br> &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&lt;meta http-equiv="Content<br><b>...[SNIP]...</b><br></span></div>
<div class="rule"></div>
<span class="BODH0" id="6">6.&nbsp;<a href="https://portswigger.net/knowledgebase/issues/details/00600600_robotsdottxtfile">Robots.txt file</a></span>
<br><a class="PREVNEXT" href="#5">Previous</a>
<br>
<h2>Summary</h2>
<table cellpadding="0" cellspacing="0" class="summary_table">
<tr>
<td rowspan="4" class="icon" valign="top" align="center"><div class='scan_issue_info_certain_rpt'></div></td>
<td>Severity:&nbsp;&nbsp;</td>
<td><b>Information</b></td>
</tr>
<tr>
<td>Confidence:&nbsp;&nbsp;</td>
<td><b>Certain</b></td>
</tr>
<tr>
<td>Host:&nbsp;&nbsp;</td>
<td><b>http://192.168.73.145:8081</b></td>
</tr>
<tr>
<td>Path:&nbsp;&nbsp;</td>
<td><b>/robots.txt</b></td>
</tr>
</table>
<h2>Issue detail</h2>
<span class="TEXT">The web server contains a robots.txt file.</span>
<h2>Issue background</h2>
<span class="TEXT"><p>The file robots.txt is used to give instructions to web robots, such as search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.</p>
<p>The presence of the robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site's contents. The information in the file may therefore help an attacker to map out the site's contents, especially if some of the locations identified are not linked from elsewhere in the site. If the application relies on robots.txt to protect access to these areas, and does not enforce proper access control over them, then this presents a serious vulnerability.</p></span>
<h2>Issue remediation</h2>
<span class="TEXT"><p>The robots.txt file is not itself a security threat, and its correct use can represent good practice for non-security reasons. You should not assume that all web robots will honor the file's instructions. Rather, assume that attackers will pay close attention to any locations identified in the file. Do not rely on robots.txt to provide any kind of protection over unauthorized access.</p></span>
<h2>Vulnerability classifications</h2><span class="TEXT"><ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a></li>
</ul></span>
<h2>Request 1</h2>
<div class="rr_div"><span>GET <span class="HIGHLIGHT">/robots.txt</span> HTTP/1.1<br>Host: 192.168.73.145<br>Connection: close<br>Cookie: PHPSESSID=c9m0e9tr068p88c8kjjbu9pqi2; security=impossible<br><br></span></div>
<h2>Response 1</h2>
<div class="rr_div"><span>HTTP/1.1 200 OK<br>Date: Thu, 14 Sep 2023 11:07:38 GMT<br>Server: Apache/2.4.10 (Debian)<br>Last-Modified: Wed, 04 Jan 2017 09:34:35 GMT<br>ETag: "1a-545417e2380c0"<br>Accept-Ranges: bytes<br>Content-Length: 26<br>Connection: close<br>Content-Type: text/plain<br><br>User-agent: *<br>Disallow: /</span></div>
<div class="rule"></div>
<span class="TEXT"><br>Report generated by Burp Suite <a href="https://portswigger.net/vulnerability-scanner/">web vulnerability scanner</a> v2020.2, at Thu Sep 14 11:13:16 CST 2023.<br><br></span>
</div>
</body>
</html>
